Title: [175724] trunk
Revision
175724
Author
mark....@apple.com
Date
2014-11-06 16:18:23 -0800 (Thu, 06 Nov 2014)

Log Message

slow_path_get_direct_pname() needs to be hardened against a constant baseValue.
<https://webkit.org/b/138476>

Reviewed by Michael Saboff.

Source/_javascript_Core:

slow_path_get_direct_pname() currently assumes that the baseValue is always a
non-constant virtual register.  However, that is not always the case; for example,
the constant base in the following reaches this slow path:

    function foo() {
        var o = { a:1 };
        for (var n in o)
            0[n];
    }
    foo();

This patch fixes it to also check for constant virtual register indexes.

* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):

LayoutTests:

* js/get-by-pname-expected.txt:
* js/script-tests/get-by-pname.js:
(getByPnameOnConstant):
(getByPnameOnVar):
- Added more test cases.

Modified: trunk/LayoutTests/ChangeLog (175723 => 175724)


--- trunk/LayoutTests/ChangeLog	2014-11-07 00:02:25 UTC (rev 175723)
+++ trunk/LayoutTests/ChangeLog	2014-11-07 00:18:23 UTC (rev 175724)
@@ -1,5 +1,18 @@
 2014-11-06  Mark Lam  <mark....@apple.com>
 
+        slow_path_get_direct_pname() needs to be hardened against a constant baseValue.
+        <https://webkit.org/b/138476>
+
+        Reviewed by Michael Saboff.
+
+        * js/get-by-pname-expected.txt:
+        * js/script-tests/get-by-pname.js:
+        (getByPnameOnConstant):
+        (getByPnameOnVar):
+        - Added more test cases.
+
+2014-11-06  Mark Lam  <mark....@apple.com>
+
         Refactor the get-by-pname.js test.
         <https://webkit.org/b/138483>
 

Modified: trunk/LayoutTests/js/get-by-pname-expected.txt (175723 => 175724)


--- trunk/LayoutTests/js/get-by-pname-expected.txt	2014-11-07 00:02:25 UTC (rev 175723)
+++ trunk/LayoutTests/js/get-by-pname-expected.txt	2014-11-07 00:18:23 UTC (rev 175724)
@@ -9,6 +9,37 @@
 PASS foo(q) is 3467
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 Test tier: llint
 PASS foo(o) is 11
@@ -16,6 +47,37 @@
 PASS foo(q) is 3467
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 Test tier: baseline
 PASS foo(o) is 11
@@ -23,6 +85,37 @@
 PASS foo(q) is 3467
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 Test tier: dfg
 PASS foo(o) is 11
@@ -30,6 +123,37 @@
 PASS foo(q) is 3467
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 PASS successfullyParsed is true
 

Modified: trunk/LayoutTests/js/script-tests/get-by-pname.js (175723 => 175724)


--- trunk/LayoutTests/js/script-tests/get-by-pname.js	2014-11-07 00:02:25 UTC (rev 175723)
+++ trunk/LayoutTests/js/script-tests/get-by-pname.js	2014-11-07 00:18:23 UTC (rev 175724)
@@ -9,18 +9,71 @@
     return result;
 }
 
+function getByPnameOnConstant(o) {
+    var result = 0;
+    for (var n in o)
+        result += 0[n] ? 0[n] : 0;
+    return result;
+}
+
+function getByPnameOnVar(o, v) {
+    var result = 0;
+    for (var n in o)
+        result += v[n] ? v[n] : 0;
+    return result;
+}
+
 var o = {a:1, b:3, c:7};
 var p = {a:1, b:2, c:3, d:4};
 var q = {a:1, b:2, c:3, d:4, e:3457};
 var r = {a:1, b:2, c:3, d:4, e:91, f:12};
 var s = {a:1, b:2, c:3, d:4, e:91, f:12, g:69};
 
+var a = [1, 2, 3];
+var o1 = {"1":1, "2":3, "3":7};
+
 var testCases = [
     [ "foo(o)", "11" ],
     [ "foo(p)", "10" ],
     [ "foo(q)", "3467" ],
     [ "foo(r)", "113" ],
     [ "foo(s)", "182" ],
+
+    [ "getByPnameOnConstant(a)", "0" ],
+    [ "getByPnameOnVar(a, 100)", "0" ],
+    [ "getByPnameOnVar(a, 'abc')", "'0abc'" ],
+    [ "getByPnameOnVar(a, o)", "0" ],
+    [ "getByPnameOnVar(a, o1)", "4" ],
+    [ "getByPnameOnVar(a, a)", "6" ],
+
+    [ "getByPnameOnConstant(o1)", "0" ],
+    [ "getByPnameOnVar(o1, 100)", "0" ],
+    [ "getByPnameOnVar(o1, 'abc')", "'0bc0'" ],
+    [ "getByPnameOnVar(o1, o)", "0" ],
+    [ "getByPnameOnVar(o1, o1)", "11" ],
+    [ "getByPnameOnVar(o1, a)", "5" ],
+
+    [ "getByPnameOnConstant(o)", "0" ],
+    [ "getByPnameOnVar(o, 100)", "0" ],
+    [ "getByPnameOnVar(o, 'abc')", "0" ],
+    [ "getByPnameOnVar(o, o)", "11" ],
+    [ "getByPnameOnVar(o, o1)", "0" ],
+    [ "getByPnameOnVar(o, a)", "0" ],
+
+    [ "getByPnameOnConstant(0)", "0" ],
+    [ "getByPnameOnVar(0, 100)", "0" ],
+    [ "getByPnameOnVar(0, 'abc')", "0" ],
+    [ "getByPnameOnVar(0, o)", "0" ],
+    [ "getByPnameOnVar(0, o1)", "0" ],
+    [ "getByPnameOnVar(0, a)", "0" ],
+
+    [ "getByPnameOnConstant('abc')", "0" ],
+    [ "getByPnameOnVar('abc', 100)", "0" ],
+    [ "getByPnameOnVar('abc', 'abc')", "'0abc'" ],
+    [ "getByPnameOnVar('abc', o)", "0" ],
+    [ "getByPnameOnVar('abc', o1)", "4" ],
+    [ "getByPnameOnVar('abc', a)", "6" ],
+    [ "getByPnameOnVar('def', 'abc')", "'0abc'" ],
 ];
 
 function testExpr(index) {
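Review bot: getByPnameOnConstant exercises the constant-base path only through the numeric literal in `result += 0[n] ? 0[n] : 0;`, so the regression is pinned for a single constant kind; a string literal such as `'abc'[n]`, and the throwing cases `null[n]` / `undefined[n]`, would also put a constant in the base register if the bytecode generator emits get_direct_pname for them, which this hunk cannot confirm. Consider adding a sibling `getByPnameOnConstantString(o)` with `result += 'abc'[n] ? 'abc'[n] : 0;` and a throwing case for `null[n]`, registered alongside the existing `testCases` entries. The `getByPnameOnVar` entries are useful but keep the base in a non-constant register, so they do not add coverage of the constant-index bug itself. testExpr begins on the last line of the hunk and continues outside it.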

Modified: trunk/Source/_javascript_Core/ChangeLog (175723 => 175724)


--- trunk/Source/_javascript_Core/ChangeLog	2014-11-07 00:02:25 UTC (rev 175723)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-11-07 00:18:23 UTC (rev 175724)
@@ -1,3 +1,26 @@
+2014-11-06  Mark Lam  <mark....@apple.com>
+
+        slow_path_get_direct_pname() needs to be hardened against a constant baseValue.
+        <https://webkit.org/b/138476>
+
+        Reviewed by Michael Saboff.
+
+        slow_path_get_direct_pname() currently assumes that the baseValue is always a
+        non-constant virtual register.  However, this is not always the case like in the
+        following:
+
+            function foo() {
+                var o = { a:1 };
+                for (var n in o)
+                    0[n];
+            }
+            foo();
+
+        This patch fixes it to also check for constant virtual register indexes.
+
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2014-11-06  Michael Saboff  <msab...@apple.com>
 
         REGRESSION (r174985-174986): Site display disappears 

Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (175723 => 175724)


--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp	2014-11-07 00:02:25 UTC (rev 175723)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp	2014-11-07 00:18:23 UTC (rev 175724)
@@ -569,7 +569,7 @@
 SLOW_PATH_DECL(slow_path_get_direct_pname)
 {
     BEGIN();
-    JSValue baseValue = OP(2).jsValue();
+    JSValue baseValue = OP_C(2).jsValue();
     JSValue property = OP(3).jsValue();
     ASSERT(property.isString());
     RETURN(baseValue.get(exec, property.toString(exec)->toIdentifier(exec)));
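Review bot: The change from `OP(2)` to `OP_C(2)` is the entire fix, yet the new line carries no explanation, so nothing stops a later cleanup from "normalizing" it back to `OP(2)` and reintroducing the bad register-file index; add a comment above it such as `// The base may be a constant register (e.g. 0[n] in a for-in loop); OP_C handles constant indexes, OP() does not.` The next line still reads `property` with `OP(3)`, which makes the same non-constant assumption; it is worth confirming that the bytecode generator only ever places the enumerator name in a temporary, since the hunk shows no such guarantee. `ASSERT(property.isString())` is debug-only, so release builds rely on `property.toString(exec)` coping with whatever lands in that register; that is acceptable only if the assumption above holds. The body of slow_path_get_direct_pname continues past the end of the hunk.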